Feature/dev 930

ansible.cfg

@@ -6,3 +6,4 @@ callbacks_enabled = profile_tasks
 interpreter_python = auto_silent
 log_path=last_ansible_run
 forks = 30
+ssh_args = -o ServerAliveInterval=10

group_vars/stage_dev/plain.yml

@@ -108,3 +108,10 @@ gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__
 
 custom_stage_plattform_users:
   - hp.wissenbach
+
+kubernetes_with_prometheus: False
+cert_manager_dplmt: False
+kubernetes_with_certmanager: False
+kubernetes_with_extdns: False
+kubernetes_with_ingress: False
+kubernetes_with_gitea: False

group_vars/stage_devscr/plain.yml

@@ -29,3 +29,4 @@ kubernetes_with_awx: False
 kubernetes_with_gitea: True
 
 shared_service_hostname_harbor: "{{ stage }}-harbor.{{ domain }}"
+

group_vars/stage_qa/argocd.yml

@@ -0,0 +1,158 @@
+---
+
+argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
+k8s_argocd_helm__name: "argo-cd"
+k8s_argocd_helm__release_namespace: "argo-cd"
+
+k8s_argocd_with_keycloak: False
+
+# https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
+k8s_argocd_helm__release_values:
+  repoServer:
+    serviceAccount:
+      create: true
+      name: argo-cd-argocd-repo-server
+    rbac:
+    - apiGroups:
+      - ""
+      resources:
+      - secrets
+      verbs:
+      - get
+    logLevel: warn
+    logFormat: json
+    env:
+      - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
+        value: "0"
+      - name: ARGOCD_EXEC_TIMEOUT
+        value: "300s"
+      - name: XDG_CONFIG_HOME
+        value: /.config
+      - name: GNUPGHOME
+        value: /home/argocd/.gnupg
+      - name: HELM_PLUGINS
+        value: /custom-tools/helm-plugins/
+      - name: HELM_SECRETS_SOPS_PATH
+        value: /custom-tools/sops
+      - name: HELM_SECRETS_VALS_PATH
+        value: /custom-tools/vals
+      - name: HELM_SECRETS_KUBECTL_PATH
+        value: /custom-tools/kubectl
+      - name: HELM_SECRETS_CURL_PATH
+        value: /custom-tools/curl
+      # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
+      - name: HELM_SECRETS_KEY_LOCATION_PREFIX
+        value: "/sops-gpg/"
+      - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
+        value: "false"
+      - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
+        value: "false"
+      - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
+        value: "false"
+    volumes:
+      - name: custom-tools
+        emptyDir: {}
+      - name: custom-tools-helm
+        emptyDir: {}
+      - name: gnupg-home
+        emptyDir: {}
+      - name: sops-gpg
+        secret:
+          secretName: sops-gpg
+    volumeMounts:
+      - mountPath: /home/argocd/.gnupg
+        name: gnupg-home
+        subPath: .gnupg
+      - mountPath: /usr/local/bin/kustomize
+        name: custom-tools
+        subPath: kustomize
+        # Verify this matches a XDG_CONFIG_HOME=/.config env variable
+      - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
+        name: custom-tools
+        subPath: ksops
+      - mountPath: /custom-tools/helm-plugins
+        name: custom-tools-helm
+        subPath: helm-plugins
+      - mountPath: /custom-tools/kubectl
+        name: custom-tools-helm
+        subPath: kubectl
+      - mountPath: /custom-tools/sops
+        name: custom-tools-helm
+        subPath: sops
+      - mountPath: /custom-tools/vals
+        name: custom-tools-helm
+        subPath: vals
+    initContainers:
+      - name: 1-install-ksops
+        image: viaductoss/ksops:v3.0.1
+        command: ["/bin/sh", "-c"]
+        args:
+          - echo "Installing KSOPS...";
+            mv ksops /custom-tools/;
+            mv $GOPATH/bin/kustomize /custom-tools/;
+            echo "Done.";
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools
+      - name: 2-download-tools
+        image: alpine:latest
+        command: [sh, -ec]
+        env:
+          - name: HELM_SECRETS_VERSION
+            value: "3.12.0"
+          - name: KUBECTL_VERSION
+            value: "1.24.3"
+          - name: VALS_VERSION
+            value: "0.18.0"
+          - name: SOPS_VERSION
+            value: "3.7.3"
+        args:
+          - |
+            echo "Installing helm secrets...";
+            mkdir -p /custom-tools/helm-plugins
+            wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
+            echo "Done.";
+
+            echo "Downloading SOPS=${SOPS_VERSION} and kubectl ...";
+            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
+            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
+            echo "Done.";
+
+            echo "Downloading vals...";
+            wget -qO- https://github.com/variantdev/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals;
+            echo "Done.";
+
+            chmod +x /custom-tools/*;
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools-helm
+      - name: 3-import-gpg-key
+        image: argoproj/argocd:v2.2.5
+        command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
+        env:
+          - name: GNUPGHOME
+            value: /gnupg-home/.gnupg
+        volumeMounts:
+          - mountPath: /sops-gpg
+            name: sops-gpg
+          - mountPath: /gnupg-home
+            name: gnupg-home
+  server:
+    logLevel: warn
+    logFormat: json
+    config:
+      kustomize.buildOptions: "--enable-alpha-plugins"
+      helm.valuesFileSchemes: >-
+        secrets+gpg-import, secrets+gpg-import-kubernetes,
+        secrets+age-import, secrets+age-import-kubernetes,
+        secrets,secrets+literal,
+        https
+    service:
+      sessionAffinity: ClientIP
+  dex:
+    enabled: false
+  applicationSet:
+    enabled: false
+  configs:
+    secret:
+      argocdServerAdminPassword: '{{ argocd_server_admin_password | password_hash("bcrypt") }}'

group_vars/stage_qa/bootstrap.yml

@@ -0,0 +1,12 @@
+---
+
+argocd_bootstrap_infrastructure: true
+
+harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
+harbor_bootstrap_helm_name: "infrastructure"
+harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
+harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"
+
+gitea_bootstrap_url: "https://qa-gitea-01.smardigo.digital/qanso/qanso-argocd"
+gitea_bootstrap_username: "{{ gitea_admin_username }}"
+gitea_bootstrap_password: "{{ gitea_admin_password }}"

group_vars/stage_qa/plain.yml

@@ -1,6 +1,7 @@
 ---
 
 stage: "qa"
+stage_kube: "{{ stage }}nso"
 
 # TODO read configuration with hetzner rest api
 shared_service_network: "10.1.0.0/16"
@@ -104,3 +105,10 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
 gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+
+kubernetes_with_prometheus: False
+cert_manager_dplmt: False
+kubernetes_with_certmanager: False
+kubernetes_with_extdns: False
+kubernetes_with_ingress: False
+kubernetes_with_gitea: False

group_vars/stage_qa/prometheus.yml

@@ -0,0 +1,3 @@
+---
+prometheus_tsdb_rentention_time: '2w'
+kubernetes_prometheus_endpoint: "qanso-prometheus.{{ domain }}"

kubernetes.yml

@@ -23,10 +23,6 @@
 
   roles:
     - { role: kubernetes/base }
-    - role: kubernetes/argocd
-      when: kubernetes_with_argocd | default(true)
-      tags:
-        - argocd
 
 #    - { role: kubernetes/namespace }
     - role: kubernetes/cloud_controller_manager
@@ -34,6 +30,12 @@
       tags:
         - ccm
     - { role: kubernetes/container_storage_interface }
+
+    - role: kubernetes/argocd
+      when: kubernetes_with_argocd | default(true)
+      tags:
+        - argocd
+
 #    - role: kubernetes/prometheus
 #      tags:
 #        - prometheus

roles/kubernetes/base/tasks/main.yml

@@ -8,7 +8,7 @@
     name: "{{ item }}"
     state: present
   loop:
-    - python3-pip=20.0.2-5ubuntu1.7
+    - python3-pip=20.0.2-5ubuntu1.8
   when:
   - "'kube_control_plane' in group_names"
   tags:

stage-qa

@@ -56,19 +56,21 @@ qa-prometheus-01
 #qa-webdav-01
 
 [kube_control_plane]
-qa-kube-master-01
+qanso-kube-cpl-01
-qa-kube-master-02
+qanso-kube-cpl-02
-qa-kube-master-03
+qanso-kube-cpl-03
 
 [etcd]
-qa-kube-master-01
+qanso-kube-cpl-01
-qa-kube-master-02
+qanso-kube-cpl-02
-qa-kube-master-03
+qanso-kube-cpl-03
 
 [kube_node]
-qa-kube-node-01
+qanso-kube-node-01
-qa-kube-node-02
+qanso-kube-node-02
-qa-kube-node-03
+qanso-kube-node-03
+qanso-kube-node-04
+qanso-kube-node-05
 
 [k8s_cluster:children]
 kube_control_plane